Posted by paolo valsecchi on November 14, 2006, 4:18 am
Hi everybody
I'm facing some problems with Kerberos authentication using UDP protocol.
As suggested by Microsoft using TCP protocol the problem has been solved
instead.
Questions:
Why does Microsoft use UDP by default if there are authentication problems?
What would be the global impact on the network (WAN) using Kerberos
authentication through TCP? Would it be a suitable solution?
Any help really appreciated.
Posted by Gary Reynolds on November 14, 2006, 11:51 am
Hi Paolo
The main reason for using UDP by default is that it's lightweight compared
to TCP. Also the fact most LAN networks are reliable and UDP traffic will
normally make it through without any problems.
UDP starts having problems if the network is not reliable, i.e. busy network,
slow links, or has packet loss. The advantage of using TCP is that it uses
acknowledged delivery. The downside is the protocol overhead to support
acknowledgement mechanism, this increases the amount of traffic that is
transmitted.
One of the problems I've seen in the past with WAN connection is VPN or
encryption overhead, this reduces the overall packet size. The UDP
transmissions don't take into account reduced window size and as a result
packets can be lost. When using TCP both ends agree the max window size,
preventing packet loss.
Overall the impact on the network is an increase in traffic, however, you do
get guaranteed delivery!
Hope this helps
Gary.
> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why does Microsoft use UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>
Posted by Paul Nelson on November 14, 2006, 6:18 pm
Kerberos is supposed to automatically switch to TCP if its message size
exceeds what UDP can handle. Kerberos messages get large when PAC data is
included in tickets (which seems to be most of the time now). There is so
little difference in overhead using TCP, that you don't notice it.
Kerberos is one of the few protocols that still uses UDP - most everything
else uses TCP. Because of this, using Kerberos over TCP should always work
correctly.
Paul Nelson
Thursby Software Systems, Inc.
in article AB16D9B0-A2DA-48C0-8015-ADF6022D6FD2@microsoft.com, paolo
valsecchi at paolovalsecchi@discussions.microsoft.com wrote on 11/14/06 3:18
AM:
> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why does Microsoft use UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>
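Added example, not part of Paul Nelson's post or of any vendor's code: the automatic switch to TCP he describes, as RFC 4120 defines it. A KDC that cannot fit its reply in a UDP datagram answers with KRB-ERROR code 52 (KRB_ERR_RESPONSE_TOO_BIG), and the client resends the request over TCP with a 4-byte length prefix. The function names and the sample message are constructed for illustration.

```python
import struct

KRB_ERR_RESPONSE_TOO_BIG = 52  # RFC 4120: reply does not fit in UDP, retry on TCP
KRB_ERROR_TAG = 0x7E           # [APPLICATION 30] KRB-ERROR

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def krb_error_code(msg):
    """Return error-code from a KRB-ERROR, or None for any other message."""
    tag, body, _ = read_tlv(msg, 0)
    if tag != KRB_ERROR_TAG:
        return None
    _, seq, _ = read_tlv(body, 0)  # the SEQUENCE inside the application tag
    pos = 0
    while pos < len(seq):
        tag, val, pos = read_tlv(seq, pos)
        if tag == 0xA6:  # context tag [6] = error-code
            return int.from_bytes(read_tlv(val, 0)[1], "big", signed=True)
    return None

def must_retry_over_tcp(udp_reply):
    """True when the KDC's UDP reply tells the client to switch to TCP."""
    return krb_error_code(udp_reply) == KRB_ERR_RESPONSE_TOO_BIG

def frame_tcp(msg):
    """TCP transport: 4-byte big-endian length prefix, high bit must be 0."""
    if len(msg) >= 1 << 31:
        raise ValueError("message too large for Kerberos TCP framing")
    return struct.pack(">I", len(msg)) + msg

def der(tag, val):  # short-form builder, used only for the constructed sample
    return bytes([tag, len(val)]) + val

# Constructed, trimmed KRB-ERROR: pvno=5, msg-type=30, error-code=52 only.
SAMPLE_TOO_BIG = der(0x7E, der(0x30, der(0xA0, der(2, b"\x05"))
                               + der(0xA1, der(2, b"\x1e"))
                               + der(0xA6, der(2, b"\x34"))))

if __name__ == "__main__":
    print(must_retry_over_tcp(SAMPLE_TOO_BIG), frame_tcp(SAMPLE_TOO_BIG)[:4].hex())
```

When troubleshooting with a sniffer, a KRB-ERROR 52 on UDP port 88 followed by a TCP port 88 connection is this fallback working as designed; a UDP request with no reply at all points at the network path instead.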
Posted by Joe Richards [MVP] on November 15, 2006, 12:06 am
Various network devices and improperly configured network cards are what
I most often see screwing up the UDP packet delivery. I have had to use
TCP to troubleshoot but it was always to help identify that some network
component was screwing up.
UDP is used initially because that is the standard. It generally works
just fine, in the hundreds of networks I have experienced first hand and
thousands I have dealt with second/third hand the number of times I have
seen UDP issues is less than 15.
TCP does add a good amount of overhead and I would recommend doing a
network impact study before considering switching whole hog to TCP.
Actually I would say go find why UDP isn't working, it will take some
time with a sniffer to find out what device is throwing out the packets,
but once you determine that you can investigate it and correct it. This
can usually, in my experience, be fixed by correcting configurations or
updating firmwares of various network devices.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
paolo valsecchi wrote:
> Hi everybody
> I'm facing some problems with Kerberos authentication using UDP protocol.
> As suggested by Microsoft using TCP protocol the problem has been solved
> instead.
>
> Questions:
> Why does Microsoft use UDP by default if there are authentication problems?
> What would be the global impact on the network (WAN) using Kerberos
> authentication through TCP? Would it be a suitable solution?
>
> Any help really appreciated.
>